Johnny Stinson

SEC110-IT1-11

Denial of Service and Hijacking attacks

Since the creation of the internet, computer systems and networks have been vulnerable to online attackers. Many of these attacks focus on the network structure itself, the main objective being a complete, crippling shutdown or crash of the system or network. A vast number of these attacks are classified as “Denial of Service” or DoS attacks. They concentrate on depriving a user or organization of the services and information resources they would normally have access to.

A LAND (Local Area Network Denial) attack is a DoS attack that exploits a vulnerability in the network stack. It was first discovered in 1997 and has worked against many different operating systems, as recently as Windows XP. The LAND attack sends a TCP SYN packet, which is essentially a message between computers to establish a connection. This SYN packet is “spoofed,” or altered in a way that causes the victim’s system to send its reply packet to itself instead of to the other computer. This causes the system to enter an infinite loop, sending and receiving its own packets, ultimately causing it to crash. The attack damages the network by disabling and denying the use of the compromised systems, thus affecting the availability of the network. To combat and also detect these types of attacks, firewalls should be used to intercept the spoofed packet. The firewall should also be configured to block traffic where the source IP address is the same as the destination IP address. Operating systems should also be updated and patched to fix this security hole.

The Ping of Death attack also exploits systems with altered packets. The ping packets it sends are oversized and exceed the maximum length. Sending a packet larger than the 65,535 byte limit for IPv4 packet size causes a critical error. When the victim system receives this packet it tries to read it, which causes a buffer overflow that leads to a system crash. This attack disables the systems and interrupts system availability. To detect it there are now countermeasures in place that deal with packet sizes. The fix for the problem is to add checks when reading the packet: the size of the packet should be determined before it is reconstructed for the system to interact with it, and if it is larger than the limit, the packet is invalid and ignored. Many firewalls perform this check and can be used to protect older systems that do not have this bug fixed. This bug is patched in most current operating systems and is considered more of a historical attack from the early days of the internet.
The denial-of-service attack known as the “Smurf attack” involves flooding a target with forged ICMP echo request packets, also known as ping packets. On IP networks, a ping packet can be directed to another single machine or to an IP broadcast address, sending the packet across the whole network. These attacks can result in large numbers of ICMP echo reply packets being sent by the responding systems, causing outages and network congestion. This affects the availability of the network, focusing more on the network itself than on the affected computers.

The RPC Spoofing Denial of Service attack, nicknamed “Snork,” is an attack on a system that aims to render the computer unusable by causing the system to consume 100% CPU usage for an extended period of time. Snork exploits a flaw in Windows NT by sending a spoofed UDP packet to the RPC (Remote Procedure Call) service. The Windows NT Remote Procedure Call service replies to bad datagrams sent to User Datagram Protocol (UDP) port 135 with a "Reject" packet addressed to the sender, resulting in a loop of datagrams being sent between the two machines until a packet is dropped. Sent repeatedly in succession, these packets cause the system to consume all available processor and network bandwidth resources for an indefinite length of time. Snork attacks are fairly easy to detect by using a network analyzer and checking for bad RPC packets. The process RPCSS.EXE will also consume a very noticeable amount of CPU cycles. To prevent this attack the internal ports should be blocked to deny all incoming UDP packets with a destination port of 135. Windows should be patched as listed in Microsoft Security Bulletin MS04-029.
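The four checks described above (source equals destination for LAND, reassembled size over 65,535 bytes for Ping of Death, echo requests aimed at the broadcast address for Smurf, and UDP to port 135 for Snork) can be applied to raw IPv4 datagrams. The code below is an added example, not part of the original paper; the packets and the broadcast address 192.0.2.255 are constructed for the demo.

```python
import struct
import ipaddress

# Constants taken from the text: the IPv4 datagram limit and the NT RPC UDP port.
IPV4_MAX, RPC_UDP_PORT = 65535, 135
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
IPV4_HDR = "!BBHHHBBH4s4s"  # minimal 20-byte IPv4 header, no options


def build_ipv4(src, dst, proto, payload, frag_off=0):
    """Construct a raw IPv4 datagram for the demo (header checksum left zero)."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, frag_off // 8, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def inspect(pkt, broadcast="192.0.2.255"):
    """Return the DoS signatures one raw IPv4 datagram matches.
    `broadcast` is the local directed-broadcast address (assumed for the demo)."""
    f = struct.unpack(IPV4_HDR, pkt[:20])
    ihl, total_len, proto = (f[0] & 0x0F) * 4, f[2], f[6]
    frag_off = (f[4] & 0x1FFF) * 8          # fragment offset in bytes
    src, dst = (str(ipaddress.IPv4Address(a)) for a in (f[8], f[9]))
    hits = []
    if src == dst:                          # LAND: the reply would go to itself
        hits.append("LAND")
    if frag_off + total_len > IPV4_MAX:     # reassembly would exceed 65,535 bytes
        hits.append("PING_OF_DEATH")
    if frag_off == 0 and len(pkt) >= ihl + 8:   # first fragment carries L4 header
        l4 = pkt[ihl:ihl + 8]
        if proto == PROTO_UDP and struct.unpack("!HH", l4[:4])[1] == RPC_UDP_PORT:
            hits.append("SNORK")            # UDP to port 135: deny at the border
        if proto == PROTO_ICMP and l4[0] == 8 and dst == broadcast:
            hits.append("SMURF")            # echo request to the broadcast address
    return hits


# Constructed sample traffic (not captures): one datagram per attack plus a benign one.
SAMPLES = {
    "land": build_ipv4("192.0.2.10", "192.0.2.10", PROTO_TCP, b"\x00" * 20),
    "pod": build_ipv4("198.51.100.7", "192.0.2.10", PROTO_ICMP, b"\x00" * 8, frag_off=65528),
    "snork": build_ipv4("198.51.100.7", "192.0.2.10", PROTO_UDP, struct.pack("!HHHH", 135, 135, 8, 0)),
    "smurf": build_ipv4("203.0.113.9", "192.0.2.255", PROTO_ICMP, struct.pack("!BBHHH", 8, 0, 0, 1, 1)),
    "benign": build_ipv4("192.0.2.10", "198.51.100.7", PROTO_TCP, b"\x00" * 20),
}


def scan(samples=SAMPLES):
    """Map each sample name to the signatures it triggers."""
    return {name: inspect(pkt) for name, pkt in samples.items()}
```

A firewall that drops any datagram for which `inspect` returns a non-empty list implements the protections the paper lists; the Ping of Death check works on the fragment offset so it triggers before any reassembly buffer is touched.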

Through your research you should be able to find at least one additional type of attack that could be categorized as a DoS or hijacking attack. Choose one type of attack that is not listed here and describe it. In a Microsoft Word document, describe how the three attacks you have chosen and the additional type of attack are carried out; the damage that they can cause; how they can be discovered; and ways to protect our systems/communications from these attacks.

Works Cited

McClure, Stuart, and Joel Scambray. "Cute name belies gravity of latest NT attack." InfoWorld 20.42 (1998): 46H. MasterFILE Premier. EBSCO. Web. 14 Apr. 2011.
